Red Hat, Inc. (AV:N/AC:H/Au:S/C:P/I:P/A:P)

It was found that oVirt did not correctly terminate sessions when a user logged out from the web interface. Upon logout, only the engine session was invalidated but the restapi session persisted. An attacker able to obtain the session data, and able to log in with their own credentials, could replace their session token with the stolen token and elevate their privileges to those of the victim user. Note that in order for this flaw to be exploited, the attacker must also have a valid login and authenticate successfully.

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

https://access.redhat.com/errata/RHBA-2015:0230 [No Types Assigned]

https://access.redhat.com/security/cve/CVE-2014-7851 [No Types Assigned]